Login

A Login System for a PHP Email Application

We know from the previous article that the user ID is very important, because it is used to retrieve information from the database at various stages of the application. The login system sets this userID when you log in, and it is the login system that will be the focus of this second part in a four-part series.

For anyone to use the application, they have to be authenticated (be a registered user of the system) or be given an opportunity to become a member. This is primarily what the login system is for. Below is a screen shot of the login page.

The code: connecting and logging in

The login script presents a form in which the user must enter his/her username and password. The submitted values are then processed by the code on the page and the appropriate action is taken. Let’s go through the various scripts involved.

Connect.php. This script is included on any page that uses the database. It contains the information that connects the application to the database:

The $error variable is set in the actual code that processes the username and password.

The code: form verification

JavaScript code. This script provides the first level of form verification. It checks whether the user has filled in all the required fields on the form. If the user has not done so, a dialog box pops up that tells the user exactly which field he or she did not fill in:

Although this is a good way to check whether the user has indeed filled in all the needed values, it does not always work. JavaScript can be turned off by some users, so if you rely on JavaScript alone to verify user input, you will have a lot of problems later on.

PHP form code. This is the main code that processes the form information. It also acts as the second level of verification of the form data. First, it checks whether the form has been submitted. If it has, it checks whether the submitted fields contain values. Its third step is to check whether the username and password match any that are in the database. Based on the outcome, the userID of the user is stored in a session variable together with other data, and the user is either sent to the index page of the application or shown the login page again with an error:

Here you can also check whether the right kind of username and password have been submitted. For example, you can make the user submit a username that begins with “usr.username,” then use a regex to find out whether that pattern has been followed. Also, if you are really serious about security, you should use MD5 encryption here. This is to stop SQL injection and to make your form safer.
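As an added example that is not the article's own code, here is one way to write the three-step PHP form code described above. It assumes connect.php defines a PDO connection in $pdo and a users table with userID, username and password columns, where password holds a password_hash() value; it uses a prepared statement and password_verify() in place of the MD5 step mentioned above, so user input never becomes part of the SQL text.

```php
<?php
// Added example, not the article's code. Assumed: connect.php defines $pdo
// (a PDO connection) and a users(userID, username, password) table whose
// password column stores password_hash() output.
session_start();
require 'connect.php';

$error = '';

// Step 1: has the form been submitted?
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['password'] ?? '';

    // Step 2: server-side check that both fields have values; this runs even
    // when the JavaScript check is switched off in the browser.
    if ($username === '' || $password === '') {
        $error = 'Please fill in both your username and password.';
    } else {
        // Step 3: look the user up with a bound parameter rather than by
        // concatenating the username into the query string.
        $stmt = $pdo->prepare(
            'SELECT userID, username, password FROM users WHERE username = :username'
        );
        $stmt->execute([':username' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // password_verify() compares the submitted password with the stored hash.
        // The same message is used for an unknown user and a wrong password.
        if ($row !== false && password_verify($password, $row['password'])) {
            session_regenerate_id(true);              // fresh session ID after login
            $_SESSION['userID']   = (int) $row['userID'];
            $_SESSION['username'] = $row['username'];
            header('Location: index.php');
            exit;
        }
        $error = 'Invalid username or password.';
    }
}
?>
<form method="post" action="">
  <?php if ($error !== ''): ?>
    <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
  <?php endif; ?>
  <label>Username <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <button type="submit">Log in</button>
</form>
```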

If all the variables are set, it then inserts the form data into the database and sends the user to the login page with a message variable set to one. This variable is used on the login page to display a successful registration message:

User profile. This page is used to show user information and can also be used to update it. All of the user’s information, such as the username and password, is displayed in a form. Sensitive information such as the password is displayed with asterisks, for security reasons: